Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

user not in /etc/sudoers #3

Open
lalkh opened this issue Mar 25, 2021 · 6 comments
Open

user not in /etc/sudoers #3

lalkh opened this issue Mar 25, 2021 · 6 comments

Comments

@lalkh
Copy link

lalkh commented Mar 25, 2021

excuse me,I have learned a lot from your exploit methods。And I found it necessary that the user should be in /etc/sudoers when I use exploit_userspec.py,if the user is not in /etc/sudoers,is it possible to exploit?
@worawit
Copy link
Owner

worawit commented Mar 25, 2021

No. The user is not in /etc/sudoers should be easier.

the checking function iterates from last rule to first rule.
If the user is NOT in sudoers, overwriting only first userspec is enough.
If the user is in sudoers, you have to overwriting first userspec (for cleanup without a crash) and a userspec before the user one (because iterating do "curr->prev->prev->next" instead of "curr->prev").

Note:

  • current exploit_userspec.py does not work when only 1 rule is in /etc/sudoers (including rules in /etc/sudoers.d/*). might fix if this case exists
  • if the user is in /etc/sudoers (and no explicit PASSWD in the rule), you can overwrite only defaults (see exploit_defaults_mailer.py as an example) by setting def_authenticate to 0

@lalkh
Copy link
Author

lalkh commented Mar 26, 2021

Note:
current exploit_userspec.py does not work when only 1 rule is in /etc/sudoers (including rules in /etc/sudoers.d/*). might fix if this case exists
yes, this situation is what I faced,because I‘m not clear what kind of data I have to overwrite. I have to say bruteforce stack_addr is really a genius idea,I found 0x7ffxxxx00000 is always 0x7ffexxx00000 on my system,I have modified that and It works on my system. By the way, It would be awesome that you would implement that scenario.

@worawit
Copy link
Owner

worawit commented Mar 28, 2021

I added support 1 rule in /etc/sudoers for exploit_userspec.py.

Can you try it and give me a result?

@lalkh
Copy link
Author

lalkh commented Mar 30, 2021
edited
Loading

Yes, It is now work on my system. And I found it doesn't work on my ubuntu16.04.6

offset to first userspec: 0x370
offset_max: 0x280
offset_min: 0x180
at range: 0x0-0x70

cmnd size: 0x1230
offset to defaults: 0x60
offset to first userspec: 0x370
offset to userspec: 0x1d0

to skip finding offsets next time no this machine, run:
exploit_userspec.py 0x1230 0x60 0x370 0x1d0
invalid offset. exit code: 139

@lalkh lalkh closed this as completed Mar 30, 2021
@lalkh lalkh reopened this Mar 30, 2021
@worawit
Copy link
Owner

worawit commented Mar 30, 2021

I totally forgot this case. Ubuntu 16.04 apport is enabled by default. So exit status is coredump (128) + sigsegv (11).

Fixed it.

Note: apport does coredump on all sigsegv, so the exploit will run much slower.

@lalkh
Copy link
Author

lalkh commented Apr 14, 2021

When I was in docker,I think the chunks have some difference. bruteforce cannot success even I closed ASLR and use a correct stack addr.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@worawit @lalkh